cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
mynaxyss
Level 7
Report Inappropriate Content
Message 1 of 4
‎11-15-2018 08:22 AM

ExP:Invalid Call

Hello,

I'm getting a lot of this exploit prevention : invalid call wich was detected as an attempt to exploit C:\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE or C:\PROGRAM FILES (X86)\GOOGLE\CHROME\APPLICATION\CHROME.EXE

I want to know  if it's a false alarm or if you are aware of this problem.

Any help would be really appreciated!

thanks 

0 Kudos
Reply
3 Replies
ninov_n
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 2 of 4
‎02-28-2019 08:49 AM

Re: ExP:Invalid Call

Hello,

Both IEXPLORER and CHROME fall under the list of possible Buffer Overflow affected applications but bear in mind that such vulnerabilities are fixed in the background from their vendors.

I do not see full details of the event you get but at first sight it seems that external process tried to reach memory used by these processes. Since they both interact with OS components it is possible that it is a legitimate event but in case you suspect malicious activity you can run a GetSusp on that machine, clean the browsers cache and run a full scan.

In case above information was useful or answered your question, please select "Accept as Solution" in my reply, or give a Kudo. Thanks!
Nino
0 Kudos
Reply
mynaxyss
Level 7
Report Inappropriate Content
Message 3 of 4
‎03-01-2019 01:55 AM

Re: ExP:Invalid Call

Hello, 

thanks for your response 

you can see below the complete event :

2019-02-27 12:07:02 timestamp="2019-02-27 12:07:02.607", AutoID="399916666", signature="ExP:Invalid Call", threat_type="IDS_THREAT_TYPE_VALUE_BOP", signature_id="18055", category="hip.bo", severity_id="2", event_description="A suspicious call was detected and blocked", detected_timestamp="2019-02-27 12:05:22.0", file_name="C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\PLUGIN-CONTAINER.EXE", target_hash="a839ebb5d127a9872a897fe81c2a861b", detection_method="Exploit Prevention", vendor_action="blocked", AnalyzerContentCreationDate="2019-01-31 22:45:48.0", AnalyzerContentVersion="10.6.0.8966", AnalyzerRuleID="6013", AnalyzerRuleName="Suspicious Function Invocation - CALL Not Found", SourceDescription="C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\PLUGIN-CONTAINER.EXE --CHANNEL=205868.119.1156748700\1582519969 C:\USERS\DIETZTR\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\F608DHH5.DEFAULT\GMP-WIDEVINECDM\4.10.1196.0 -GREOMNI C:\PROGRAM FILES (X86)\MOZILLA FI", TargetSigned="1", TargetSigner="C=US, S=CALIFORNIA, L=MOUNTAIN VIEW, O=MOZILLA CORPORATION, CN=MOZILLA CORPORATION", TargetParentProcessSigned="1", TargetParentProcessSigner="C=US, S=CALIFORNIA, L=MOUNTAIN VIEW, O=MOZILLA CORPORATION, CN=MOZILLA CORPORATION", TargetParentProcessName="FIREFOX.EXE", TargetParentProcessHash="79b2c84686d2aa43ad202d3bfd2013b0", TargetName="PLUGIN-CONTAINER.EXE", TargetPath="C:\PROGRAM FILES (X86)\MOZILLA FIREFOX", TargetFileSize="103376", TargetModifyTime="2018-12-07 0

I don't inderstand the reason of this invalid call 

would you have an explanation for this ?

thanks, 

regards, 

 

0 Kudos
Reply
ninov_n
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 4 of 4
‎03-03-2019 02:25 AM

Re: ExP:Invalid Call

 

 

Hello,

To me it looks like false positive because both source and target are clearly Mozilla processes.

You can fid additional information here:

https://support.mozilla.org/bg/kb/what-is-plugin-container

Also it seems there is a know behavior with rule 6015 and event id 18055:

https://kc.mcafee.com/corporate/index?page=content&id=KB90074

For additional information this is the rule description:

Signature 6015Signature 6015

In case above information was useful or answered your question, please select "Accept as Solution" in my reply, or give a Kudo. Thanks!
Nino
0 Kudos
Reply

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2020 McAfee, LLC